Remoteform and Drupal8

[mlutfy]

This one particularly confused me, so maybe it can help others:

To my understanding, Drupal8 handles CORS rather differently that Drupal7:
https://www.drupal.org/node/2715637

To get remoteform to work, I had to do the following to the services.yml of my site (in sites/default/services.yml)

---

parameters:

  cors.config:
    enabled: true
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: ['content-type', 'authorization']
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: ['GET', 'POST']
    # Configure requests allowed from specific origins.
    allowedOrigins: ['https://www.example.org']
    # Sets the Access-Control-Expose-Headers header.
    exposedHeaders: false
    # Sets the Access-Control-Max-Age header.
    maxAge: false
    # Sets the Access-Control-Allow-Credentials header.
    supportsCredentials: false

then flush cache (drush cr).

[jmcclelland]

Thank you for posting this! We should figure out a way to include this in the docs.

[JoeMurray]

Maybe even make it a mini-contrib module for the D8 remote site.

[mlutfy]

Mikey on the chat sent me this link :
https://www.drupal.org/docs/drupal-apis/services-and-dependency-injection/altering-existing-services-providing-dynamic

[jackrabbithanna]

We've had to do that exact same thing in a services.yml file for one site
You can give services settings in a module_name.services.yml file

in a custom module, say custom_cors
custom_cors.services.yml
change your settings to what you want here

parameters:
  cors.config:
    enabled: true
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: ['Content-type']
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: ['*']
    # Configure requests allowed from specific origins.
    allowedOrigins: []
    # Sets the Access-Control-Expose-Headers header.
    exposedHeaders: false
    # Sets the Access-Control-Max-Age header.
    maxAge: 3600
    # Sets the Access-Control-Allow-Credentials header.
    supportsCredentials: true

If you want to override the cors service use a Service provider / Service Modifier, can really do anything you want by overriding the different methods.

in a src/CustomCorsServiceProvider.php

<?php

namespace Drupal\custom_cors;

use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\DependencyInjection\ServiceProviderBase;


/**
 * Alter the service container to use a custom class.
 */
class CustomCorsServiceProvider implements ServiceProviderBase {

  /**
   * {@inheritdoc}
   *
   * Overrides the CORS service (http_middleware.cors) to change some
   * functionality.
   */
  public function alter(ContainerBuilder $container) {
    $container->getDefinition('http_middleware.cors')->setClass(CustomCors::class);
  }
}

Then a service class, in src/CustomCors.php

<?php

namespace Drupal\custom_cors;

use Asm89\Stack\Cors;
use Symfony\Component\HttpKernel\HttpKernelInterface;

/**
 * Add Allowed Origins white listed domains list
 */
class CustomCors extends Cors {
// do cool custom stuff

[jackrabbithanna]

Now that I think about it, this approach would be great in combination with this extension. This custom module we have has an admin form where the admin user can enter allowed domains .. so it plugs that security hole real well. You only allow CORS connections from domains you whitelist.

All it takes is the config form, and then load the config settings set the values for the 'allowedOrigins' service parameter in the custom service constructor.

[mlutfy]

Thanks Mark, those are really good leads.

I was wondering why Drupal does not already have a module to handle CORS configs? Would it be hard to extract your existing code from a custom module, and post it on drupal.org? (It's not specific to remoteforms)

On the other hand, if editing services.yml is the recommended method (imho it assumes that Drupal 8/9 admins are fairly technical, but maybe that's accurate), a module might not be necessary?

[jackrabbithanna]

Correct, a module is not necessary .. allowedOrigins can other things can be edited in the site's global services.yml.
I could make the custom we had a module, maybe call it cors_whitelist or something .. I'll think about what we have and make sure it's general enough and see about putting on Drupal.org